On September 15, the Federal Trade Commission (“FTC”) adopted, on a 3-2 party-line vote, a policy statement that takes a broad view of which health apps and connected devices are subject to the FTC’s Health Breach Notification Rule (the “Rule”) and what triggers the Rule’s notification requirement.

The Rule was promulgated in 2009 under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act.  Under the Rule, vendors of personal health record that are not otherwise regulated under the Health Insurance Portability and Accountability Act (“HIPAA”) are required to notify individuals, the FTC, and, in some cases, the media following a breach involving unsecured identifiable health information.  16 C.F.R. §§ 318.3, 318.5.  Third-party service providers also are required to notify covered vendors of any breach.  16 C.F.R. § 318.3.

The policy statement takes a broad view of when health apps and connected devices are covered by the Rule.  Specifically, the policy statement broadly construes when health apps and connected devices are subject to provisions that apply to “vendors of personal health records that contain individually identifiable health information created or received by health care providers.”

  • First, the policy statement takes the view that a developer of any digital health solution that is “capable of drawing information from multiple inputs” is a vendor of a personal health record.  Indeed, the policy statement asserts that a health app or connected device that draws information from multiple sources is covered so long as it draws health information from at least one source.  According to the statement:  “For example, if a blood sugar monitoring app draws health information only from one source (e.g., a consumer’s inputted blood sugar levels), but also takes non-health information from another source (e.g., dates from your phone’s calendar), it is covered under the Rule.”
  • Second, the policy statement takes the position that the developer of a health app or connected device – even one that is not a covered entity for purposes of HIPAA – is a “health care provider” because it “furnish[es] health care services or supplies.”

Additionally, the policy statement takes a broad view of what triggers breach notification requirements when the Rule is applicable.  Specifically, the policy statement states that there is a “breach of security” for purposes of the Rule “[w]hen a health app, for example, discloses sensitive health information without users’ authorization.” The policy statement notes that the FTC intends to seek civil penalties for violations.  Entities that violate the Rule face civil penalties of $43,792 per violation per day.

During the meeting, FTC Chair Lina Khan described the policy statement as consistent with previous guidance, however Republican Commissioners Noah Phillips and Christine Wilson argued that this interpretation may exceed the scope of the Rule, among other concerns.  For example, Commissioner Phillips wrote that the majority’s “reading of the relevant texts is convoluted, and apparently beyond what Congress, the Commission, and sister agencies had in mind in drafting them.”  Among other points, Commissioner Phillips noted that the FTC specifically declined to include counts alleging violations of the Rule in a complaint earlier this year against Flo Health, despite contrary arguments by two Commissioners.  In a  separate rulemaking process, the Department of Health and Human Services (“HHS”) is undertaking how to define and treat mobile health applications under its HIPAA Privacy Rule.

Print:
EmailTweetLikeLinkedIn
Photo of Libbie Canter Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports…

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

Photo of Anna D. Kraus Anna D. Kraus

Anna Durand Kraus has a multi-disciplinary practice advising clients on issues relating to the complex array of laws governing the health care industry. Her background as Deputy General Counsel to the U.S. Department of Health and Human Services (HHS) gives her broad experience…

Anna Durand Kraus has a multi-disciplinary practice advising clients on issues relating to the complex array of laws governing the health care industry. Her background as Deputy General Counsel to the U.S. Department of Health and Human Services (HHS) gives her broad experience with, and valuable insight into, the programs and issues within the purview of HHS, including Medicare, Medicaid, fraud and abuse, and health information privacy. Ms. Kraus regularly advises clients on Medicare reimbursement matters, the Medicaid Drug Rebate program, health information privacy issues (including under HIPAA and the HITECH Act), and the challenges and opportunities presented by the Affordable Care Act.